It's true that USB Defender will not detach any device unless the LEM has a rule that causes that to happen. If you have LEM deployed, there is a rule template included called "Template: Detach Unauthorized USB Device." It includes in the example conditions a "white-list" of authorized devices.

I've even seen a rule that could be used to white-list devices easily. Basically, it was "If a USB device is plugged into [SPECIFIC NODE], then add it to the white-list." The admin had his workstation as the [SPECIFIC NODE], so anything he connected was added to the white-list. He ran through all the devices his company allowed, and then disabled the rule. If he needs to add more to the white-list, he can re-enable the rule, but otherwise his workstation is subject to the same rules as anyone else.

It's also worth noting that we don't even pass mice/keyboards on to USB-Defender, only mass storage devices, network devices, and phones. You likely won't even see events when these devices are plugged in, unless you're using the "Extended" USB-Defender connector, in which case you should be careful.

USB Defender local policy is similar: we ignore things that aren't mass storage, network, and phones (anything that could walk data off).
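The white-list workflow described above, modeled as a small Python simulation. This is an added example, not LEM rule syntax or SolarWinds code; the event fields, node names, device IDs and result labels are constructed for illustration.

```python
from dataclasses import dataclass, field

# Device classes the posts say are passed on to USB Defender.
# Mice and keyboards are not, so they never reach the rule.
MONITORED_CLASSES = {"mass_storage", "network", "phone"}

@dataclass
class UsbEvent:  # constructed event shape, not LEM's real schema
    node: str
    device_id: str
    device_class: str

@dataclass
class Policy:  # hypothetical model of the two rules in the post
    enroll_node: str               # the admin's [SPECIFIC NODE]
    enroll_enabled: bool = False   # the temporary "add to white-list" rule
    whitelist: set = field(default_factory=set)

    def handle(self, ev: UsbEvent) -> str:
        """Return 'ignored', 'enrolled', 'allowed' or 'detach'."""
        if ev.device_class not in MONITORED_CLASSES:
            return "ignored"
        # Enrollment only applies while the rule is enabled, and only on
        # the one node named in the rule.
        if self.enroll_enabled and ev.node == self.enroll_node:
            self.whitelist.add(ev.device_id)
            return "enrolled"
        if ev.device_id in self.whitelist:
            return "allowed"
        return "detach"

def demo() -> list:
    policy = Policy(enroll_node="admin-ws", enroll_enabled=True)
    results = [policy.handle(UsbEvent("admin-ws", "DISK-A", "mass_storage"))]
    policy.enroll_enabled = False  # admin disables the rule when done
    for ev in (
        UsbEvent("hr-pc", "DISK-A", "mass_storage"),     # enrolled earlier
        UsbEvent("hr-pc", "DISK-B", "mass_storage"),     # never enrolled
        UsbEvent("admin-ws", "DISK-B", "mass_storage"),  # admin gets no pass
        UsbEvent("hr-pc", "KBD-1", "keyboard"),          # not monitored
    ):
        results.append(policy.handle(ev))
    return results

if __name__ == "__main__":
    print(demo())
```

The third and fourth results show why the enrollment rule should be switched off after use: while it is enabled, any monitored device plugged into the enrollment node is trusted everywhere.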
